1.6a Meeting Follow Up Doshi Flashcards

1
Q

(1) Auditee has taken corrective action immediately after the identification of a reportable finding. The auditor should:

A. exclude the finding in final report without verifying corrective action.
B. include the finding in the final report
C. verify corrective action and, if appropriately closed, exclude it from the report.
D. decide on inclusion/exclusion after discussing the finding with auditee management.

A

B?

2
Q

(2) How should the IS auditor proceed if prior audit report is without work papers?

A. Postpone the audit till workpapers are available.
B. Continue audit while relying on previous audit report.
C. Controls for highest risk area to be retested.
D. Inform audit management and propose retesting the controls.

A

D?

3
Q

(3) Auditor should hold the closure meeting with the objective of:

A. discussion on audit observations.
B. correction of deficiencies.
C. assessing audit staff performance.
D. presenting the final audit report.

A

A?

4
Q

(4) For communication of audit results, IS Auditor is ultimately responsible to:

A. Legal Authorities
B. Senior Management and/or audit committee
C. manager of the audited entity
D. compliance manager

A

B?

5
Q

(5) Auditor should hold the closure meeting with the objective of:

A. Allowing auditees to implement recommendations as soon as possible
B. Allowing auditors to explain complicated findings before a written report is issued
C. Allowing auditors to buy confidence of management.
D. To ensure that there have been no misunderstandings or misinterpretations of facts

A

D?

6
Q

(6) In case of non-agreement by department manager over audit findings, which of the following should be the first action?

A. Once again test control to validate the audit finding.
B. Ask a third party to validate the audit finding.
C. Include the finding in the report with the department manager’s comments.
D. Revalidate the supporting evidence for the finding.

A

D?

7
Q

(7) Main reason for meeting with auditees prior to formally releasing the audit report is to:

A. ensure all important issues are covered.
B. gain agreement on the findings.
C. to obtain feedback on audit procedures.
D. to finalise structure of final audit report.

A

A?

8
Q

(8) IS auditor finds that critical disaster recovery plan (DRP) does not cover all of the systems. IS Auditor should:

A. inform the management and evaluate the impact of not covering all the systems.
B. postpone the audit.
C. continue audit of existing disaster recovery plan (DRP)
D. call for explanation from management for not covering all the systems.

A

A?

9
Q

(9) Main reason for meeting with auditees prior to formally releasing the audit report is to:

A. seek management approval for corrective action plan.
B. validate accuracy of the audit findings.
C. provide assistance to management in implementation of corrective actions.
D. prioritize the resolution of audit findings.

A

B?

10
Q

(10) While reviewing an application, IS auditor observed minor weakness in database which is out of the scope for the audit. IS auditor should:

A. include that database in the scope.
B. note down the weakness for future review.
C. work with database administrator to correct the weakness.
D. report the weakness in the audit report.

A

D?

11
Q

(11) While reviewing a finance application, IS auditor observed major weakness in change management application supporting the finance application. IS auditor should:

A. continue review of finance application and report deficiency of change management application to IT manager.
B. complete review of finance application and ignore deficiency as it is not part of the audit scope.
C. formally report deficiency in audit report.
D. cease audit activity until deficiency is corrected.

A

A?

12
Q

(12) Which of the following is the MAIN objective of an IS auditor discussing the audit findings with the auditee:

A. briefing about audit results.
B. finalizing timelines for corrective actions.
C. confirming audit findings and propose a course of corrective action.
D. identifying compensating controls for the audit findings.

A

C?

13
Q

(13) IS auditor is reviewing critical application prior to implementation. Vulnerability assessment and penetration test by security experts are in process and results will not be available prior to implementation. Which of the following is the BEST option for the IS auditor?

A. issue the audit report on the basis of available information highlighting the potential security weakness and the requirement for follow up audit testing.
B. issue the audit report ignoring the areas where evidence is not available.
C. request a delay of the implementation date until evidence is available.
D. cease the audit due to lack of evidence.

A

A?

14
Q

(14) IS auditor observed inadequate controls for remote access for a critical application. Management disagrees stating that intrusion detection system (IDS) and firewall controls are in place. Which of the following is the BEST option for the IS auditor?

A. Revise the finding considering management views.
B. Withdraw the finding because the IDS controls are in place.
C. Withdraw the finding because firewall rules are monitored
D. Document audit findings in the audit report.

A

D?

15
Q

(15) IS auditor should ensure that the audit findings are supported by:

A. response from auditee management
B. risk assessment document of the organization.
C. audit evidence.
D. work papers of other auditors.

A

C?

16
Q

(16) In cases where there is disagreement regarding the impact of a finding, an IS auditor should:

A. take a statement from auditee accepting full legal responsibility.
B. explain impact of the findings and risk of not correcting it.
C. inform disagreement to the audit committee for resolution.
D. exclude the finding considering auditee’s view.

A

B?

17
Q

(17) An organization has agreed to perform remediation related to high-risk audit findings. However, remediation may not be completed within the next audit cycle. Which of the following is the BEST way for an IS auditor to follow up on the activities?

A. Provide management with a remediation timeline and verify adherence.
B. Conduct a review of the controls after the projected remediation date
C. Continue to audit the failed controls according to the audit schedule
D. Review the progress of remediation on a regular basis

A

C?

18
Q

(18) To review adequacy of management’s remediation action plan, which of the following should be the MOST important consideration?

A. Approval of remediation action by senior management.
B. Man-days required for future audit work
C. Potential cost savings
D. Criticality of audit findings

A

A?

19
Q

(19) Which of the following is the BEST way to schedule follow-up for audit findings?

A. Schedule a follow-up audit based on closure due dates.
B. Schedule a follow-up audit only during next audit cycle.
C. Schedule a follow-up audit on surprise basis to determine whether remediation is in progress.
D. Schedule a follow-up audit when findings escalate to incidents.

A

A?

20
Q

(20) PRIMARY purpose of conducting follow-up audits is:

A. To validate the correctness of reported findings
B. To validate remediation action.
C. To validate risk assessment.
D. To gather evidence for management reporting

A

B?